Security & Trust
Last updated June 1, 2026
This page is the canonical, plain-language summary of how A11yward protects customer data, who we share it with, and where our compliance program actually stands. We state status precisely — capabilities the product provides today are marked Supported; third-party audits we have not yet undergone are marked Planned. We don't claim certifications we don't hold.
Compliance posture
| Framework | Status | Detail |
|---|---|---|
| WCAG 2.1 / 2.2 AA | Supported | The scanner evaluates monitored pages against WCAG 2.1/2.2 AA success criteria and produces issue reports and exportable evidence. This is product output, not a third-party conformance certification of your site. |
| European Accessibility Act (EAA) / EN 301 549 | Self-assessed | Findings are mapped to EN 301 549 / EAA expectations to support your accessibility statement and VPAT. We evidence the technical checks; organizational and manual-testing obligations remain the customer's responsibility. |
| GDPR / UK DPA 2018 / Swiss FADP | Supported | Art. 28 Data Processing Addendum with EU Standard Contractual Clauses (Module 2), UK Addendum, and Swiss adaptations available to every customer. |
| CCPA / US state privacy | Supported | Covered by the same DPA on request. |
| SOC 2 Type II | Planned | Not yet started. We build to the Trust Services Criteria and can export supporting evidence, but we do not hold a SOC 2 report. |
| Independent penetration test | Planned | Planned for before or at the first enterprise deployment. We have not yet commissioned a third-party penetration test; we will publish a summary when we do. |
What we store (and what we don't)
- Passwords are hashed with scrypt. We store only the scrypt hash; the plaintext password is never persisted.
- Sessions use secure cookies. Session state is bound to a server-side record and your authenticated organization.
- We scan your site, not your users. Scan results record accessibility issues found on the pages you designate — not your end users' personal data.
- Encryption in transit. All access to the Service is over TLS.
SSRF protection on scan targets
Because the Service fetches URLs you submit, the crawler runs behind SSRF guards that block requests to internal, link-local, and otherwise unauthorized hosts. This keeps the scanner from being used to reach infrastructure it shouldn't — yours or ours.
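One way to implement such a guard, added here as an illustration and not A11yward's own crawler code: a TypeScript check (function and range names are my own) that rejects non-HTTP schemes, embedded credentials, localhost, and any submitted host whose full DNS answer set includes a loopback, private, link-local (including cloud metadata), CGNAT, multicast, or non-global IPv6 address, failing closed on anything it cannot classify.

```typescript
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

// Constructed deny-list of IPv4 ranges a scanner must never reach: "this network", RFC 1918,
// CGNAT, loopback, link-local (incl. 169.254.169.254 metadata endpoints), multicast/reserved.
const DENIED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];
const v4ToInt = (ip: string): number =>
  ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
function inRange(ip: string, base: string, bits: number): boolean {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// True when an address must not be fetched. IPv6 is an allow-list: IPv4-mapped addresses are
// unwrapped and checked as IPv4; anything else is allowed only inside global unicast 2000::/3,
// so ::1, fc00::/7, fe80::/10 and ff00::/8 are all rejected. Non-literals fail closed.
export function isDisallowedAddress(addr: string): boolean {
  const ip = addr.toLowerCase();
  if (isIP(ip) === 4) return DENIED_V4.some(([b, n]) => inRange(ip, b, n));
  if (isIP(ip) !== 6) return true;
  if (ip.startsWith("::ffff:")) return isDisallowedAddress(ip.slice(7));
  const first = parseInt(ip.split(":")[0], 16);
  return (first & 0xe000) !== 0x2000;
}

export interface TargetVerdict { ok: boolean; reason?: string }

// Decide whether a submitted scan URL may be fetched, given every address its host resolved to.
// Kept pure so it can be tested without DNS; every answer must pass, not just the first.
export function checkScanTarget(raw: string, resolved: string[]): TargetVerdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (isIP(host) && isDisallowedAddress(host)) return { ok: false, reason: "IP literal in blocked range" };
  if (resolved.length === 0) return { ok: false, reason: "host did not resolve" };
  const bad = resolved.find(isDisallowedAddress);
  return bad ? { ok: false, reason: `resolves to blocked address ${bad}` } : { ok: true };
}

// Resolve, then check. The fetch that follows must connect to one of these validated addresses
// (pin it via a custom lookup/agent); re-resolving at fetch time lets a host whose DNS answer
// changes between check and fetch (rebinding) reach a blocked range anyway.
export async function vetScanTarget(raw: string): Promise<TargetVerdict> {
  let answers: string[] = [];
  try {
    const host = new URL(raw).hostname.replace(/^\[|\]$/g, "");
    answers = isIP(host) ? [host] : (await lookup(host, { all: true })).map((a) => a.address);
  } catch { /* bad URL or NXDOMAIN: no answers, which fails closed below */ }
  return checkScanTarget(raw, answers);
}
```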
Tenant isolation
Every monitored site, scan result, API key, and team membership is foreign-keyed to an organization_id, and all reads filter on the organization bound to your authenticated session. There is no cross-tenant surface in the product.
Data residency
Primary processing and storage take place in the EU/EEA (Fly.io, Frankfurt). We keep customer account data, monitored-site configuration, and scan results within the EU/EEA, consistent with the EU/EEA data-residency commitment on our pricing page.
Tamper resistance & integrity
Account records and scan evidence are handled with tamper-resistant practices so the reports you rely on for compliance reflect what the scanner actually observed.
Authenticated (login-behind) scanning
When you opt into authenticated scanning and supply credentials so we can reach pages behind your login, those credentials are used only to perform the scans you configure. You control which sites and URLs are scanned and can revoke access at any time.
Sub-processors
We use the following sub-processors to deliver the Service. We give customers 30 days' advance notice of material additions, with a right to object. This list is also incorporated into Annex B of our DPA.
| Sub-processor | Purpose | Location | Transfer |
|---|---|---|---|
| Fly.io (Hash, Inc.) | Cloud hosting, application infrastructure, and primary data storage | EU (Frankfurt) primary | SCCs + DPA |
| Resend (Hopjump, Inc.) | Transactional email delivery (sign-in, alerts, scan digests) | US | SCCs + DPA |
| Stripe (Stripe Payments Europe Ltd.) | Payment processing and billing (paying customers only) | Ireland (EU) | DPA |
Vulnerability disclosure
Found a security issue? Email deniz@promptward.ai. We commit to acknowledging within 24 hours and resolving critical issues within 30 days. Please give us a reasonable window to remediate before public disclosure; we will not pursue good-faith researchers.
Incident & breach notification
In the event of a personal-data breach, we notify affected customers without undue delay and within 72 hours of becoming aware, per GDPR Art. 33. Operational status is published on /status.
Contacts
Security: deniz@promptward.ai
Privacy & data protection: deniz@promptward.ai